Providing an API-key from user prevents access to public scenarios on /api/v3/scenarios when copying a scenario

[thesethtruth]

Current behavior

1. No token or invalid token is accepted to copy a public scenario ✅
2. Personal token/API-key that is not the same as the public scenario's 'creator/owner' does not work ❌

Exp. 1 - using example YOUR_TOKEN as auth (so not a valid key) ✅

import requests

url = "https://engine.energytransitionmodel.com/api/v3/scenarios"
headers = {
    "Accept": "application/json",
    "Authorization": "Bearer YOUR_TOKEN"
}
data = {
    "scenario": {
        "scenario_id": "1234"
    }
}
print(response.status_code)
print(response.reason)
>> 200
>> 'OK'

Exp. 2 - without auth ✅

import requests

url = "https://engine.energytransitionmodel.com/api/v3/scenarios"
headers = {
    "Accept": "application/json",
}
data = {
    "scenario": {
        "scenario_id": "1234"
    }
}
print(response.status_code)
print(response.reason)
>> 200
>> 'OK'

Exp. 3 - with actually existing API key (but not of scenario owner) ❌

import requests

url = "https://engine.energytransitionmodel.com/api/v3/scenarios"
headers = {
    "Accept": "application/json",
    "Authorization": "Bearer <VALID_KEY>"
}
data = {
    "scenario": {
        "scenario_id": "1234"
    }
}
print(response.status_code)
print(response.reason)
print(response.json()['errors'])
>> 403
>> 'Forbidden' 
>> ['Scenario does not belong to you']

Expected behaviour

Regardless of the Auth bearer I want to be able to copy public scenarios.

[noracato]

Thanks @thesethtruth for your issue! I'll put it on our dev backlog